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Introduction 


1. The BBC welcomes the clarity the ICO’s draft Code brings on direct marketing 
activities, especially the incorporation of guidance that was previously set out in 
several ICO publications such as its guidance on PECR and the GDPR. We also 
welcome the inclusion of practical examples and further clarity on the ICO’s 


approach to specific direct marketing activities, such as loyalty schemes. 


2. Weare pleased to comment on elements of the Code which fall within our areas of 
marketing activity. As a public service broadcaster, the BBC has a specific 
obligation, as per our Mission, to act in the public interest and serve all audiences 
through the provision of impartial, high-quality and distinctive output and services 
which inform, educate and entertain. Marketing plays a crucial role in our ability to 
reach our audiences, in that it allows us to communicate with them outside of BBC- 
owned media (e.g. BBC One, Radio 2, BBC iPlayer), and on third party platforms 
where they may spend more time (e.g. Facebook, Instagram, Google, YouTube, 
Twitter, Snapchat). Marketing is a particularly important tool to reach younger 


audiences, given shifts in viewing and listening habits’. 


3. In our response below, we have set out details of those parts of the draft Code 
where we would ask the ICO to either: (i) provide further clarity; (ii) reconsider its 
approach; or (iii) highlight the availability of a proportionate and risk based 


approach. 


1 For example, Ofcom found that the most-watched platform in 2018 for 16-24s was YouTube. Source: Ofcom 
Media Nations, 2019. 
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The relationship between PECR and the GDPR 

4. The Code contains several references to the ICO’s view that if direct marketing 
activities require consent under PECR (i.e. the direct marketing activities involve 
the use of cookies and/or email marketing) then consent should be, or is likely to 
be, the lawful basis under the GDPR where personal data (not Special Category 
Data) is processed in connection with such activities, such as 
segmentation/profiling. In particular we refer to pages 24, 30 and 34 of the Code. 
Whilst there may be circumstances where consent may be the appropriate lawful 
basis, such as the profiling described under Article 22 of the GDPR, that Article 
also recognises the availability of contractual necessity as an equally appropriate 
lawful basis. 


(L 


5. Whilst it is accepted that legitimate interests cannot be used to “...legitimise 
processing that is unlawful under other legislation” (as stated on page 30 of the 
draft Code), the BBC believes that using legitimate interests to process personal 
data derived from a cookie where consent has been given under PECR for that 
cookie to be deployed would not infringe the principle quoted. Similarly, whilst it 
is also accepted that consent is generally a PECR requirement to send unsolicited 
email, the processing of personal data comprised within that communication under 


the legitimate interest basis would not infringe the principle quoted, where a PECR 


consent has been validly obtained. 


6. We therefore believe that ICO should reconsider its conclusions on the 
interrelationship between PECR based consent and the requirement for a GDPR 


based consent. 


Joint Controllers 
7. A passage at page 27 of the draft Code suggests that joint controllers must put in 
place a “transparency agreement”. It would be helpful if the ICO clarified that its 
reference to an “agreement” is not intended to suggest that an agreement is 
required in place of the Article 26 requirement for an “arrangement” between joint 


controllers. 
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Indirect Consent 


8. 


Page 42 of the draft Code states that consent obtained via a third party (indirect 
consent) does not last as long as consent obtained directly from the individual. We 
invite the ICO to reconsider this view: provided that the indirect consent meets the 
GDPR standard of consent (i.e. amongst other things the entity relying on consent 
is named), we consider that there should be no difference in the longevity of 


consent obtained directly or indirectly. 


Invisible Processing 


9. 


Page 50 of the draft Code states that if an entity does not “actively” tell people 
about processing then that processing is invisible, resulting in the requirement to 
conduct a DPIA. The BBC believes that the publication of a GDPR compliant 
privacy policy that, in turn, complies with the guidance on transparency, does 


constitute an active means of communication. 


Legitimate Interests and Profiling 


10. On page 58 the ICO states that it is unlikely that a controller can use legitimate 


11. 


interest as its lawful basis for “intrusive” profiling. It would be helpful if the ICO 
could provide further clarification of what is intended by the reference to the word 
“intrusive”. In particular, whether this refers to the profiling described in Article 22 
of the GDPR which has a significant or legal impact on the data subject or to 


intrusion in a wider sense. 


Page 95 of the draft Code states that it is likely consent will be the appropriate 
lawful basis under GDPR for any behavioural advertising or profiling. However the 
BBC would like to reiterate the point made under the section where we discuss the 
interrelationship between GDPR and PECR consent: namely that Articles 21 and 
22 of the GDPR contemplate two profiling regimes. Article 22 profiling may require 
consent and Article 21 profiling which is subject to the right to object. Neither 
Article expressly removes the ability for a controller to use legitimate interest 


subject to the fulfilment of the balancing test. 
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Instigation and Sending 
12. Page 83 of the draft Code states that if Company A is encouraged by Company B 
to “send its emails” then both companies require the individual’s consent to send 
the email. It would be helpful if the ICO provided further clarity on this point. In 
particular, is the reference to “its” a reference to Company A’s or Company B’s 
emails? In addition it would be helpful for the ICO to clarify that references to 
Company A are not intended to cover a service provider engaged by Company B to 


send Company B’s marketing messages. 


Social Media Targeting 
13. Page 90 of the draft Code states that it is likely that consent, and not legitimate 
interest, is the appropriate lawful basis for a controller if it elects to use Custom 
Audiences. Whilst it is helpful that the Code does not suggest that legitimate 
interest can never be used for such activity, we believe the Code should adopt a 
more balanced approach to the balancing test. In particular, whilst the Code states 
that individuals are unlikely to expect this type of processing (a view which the BBC 
does not believe applies to all individuals), we suggest that the Code also provides 
an example of where the Controller's legitimate interest takes precedence. Social 
media is an important element of the BBC’s marketing inventory, especially with 
younger audiences (16-34s). One of the most effective ways of reaching the 
younger (16-34) audience demographic with marketing is via social media, and as 
a publicly funded organisation, the BBC needs to bring audiences to its services 


and platforms that they help pay for. 


Cookie Walls 
14. It would be helpful if the ICO could provide further clarification on the lawfulness 
or otherwise of “cookie walls”, especially in the context of where a user is given the 


choice of a paid for route as an alternative to a cookie based ad funded model. 


Direct Marketing by Email 
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15. The draft Code provides guidance on the application of PECR on the use of tracking 
pixels within direct marketing emails. Given the technical limitations for obtaining 
consent via an email, it would be helpful if the ICO could provide some guidance as 
to how this might be achieved. For example, is this something that can be 
addressed in the marketing permission or can consent be obtained in the usual way 
when the individual visits the webpage that contains the marketing permission? 


What if this is on a third party website? Some examples in this area would be useful. 


